[REQ][200 points]Solve my login cookie problem

[pokefan2]

I will give 200 points to whomever can fix my code to work with cookies. What I need to stay is the link to the register page, and once I am logged in, the link to logout, and a script I can use to read cookies on other pages.

PHP Code:

<?php

include "connect.php";

if($loggedin == '0')
{
if(isset($_POST['submit']))
{



if((!isset($_POST['username'])) || (!isset($_POST['pass']))
|| ($_POST['username'] == '') || ($_POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=index.php>Continue</a>");


$player = @mysql_query("SELECT id, username, password, registered, lastlogin FROM players WHERE username = '".$_POST['username']."'");
$player = @mysql_fetch_assoc($player);

if($player['id'] == false)
die("Sorry, that user is not in our database.<br><br>
<a href=index.php>Back</a>");
else if($player['password'] != md5($_POST['pass']))
die("Wrong password!<br><br>
<a href=index.php>Back</a>");


$_SESSION['id'] = $player['id'];
$_SESSION['username'] = $player['username'];
$_SESSION['password'] = $player['password'];


$date = date("m/d/y");

$update = @mysql_query("UPDATE players SET lastlogin = '$date' WHERE id = '".$_SESSION['id']."'");

echo 'You are now logged in.';

}
else
{
echo 'You are not logged in. <br><br>
<form action=index.php method=post>
Username: <input type=text name=username><br>
Password: <input type=password name=pass><br>
<input type=submit name=submit value=Submit>
</form>
Would you like to <a href=register.php>register?</a>';
}
}
else
{
echo 'You are logged in! 
Welcome back to Wolf Magic, '.$_SESSION['username'].'!
<br><br>
<a href=logout.php>Click Here to Logout</a>';

}

?>

Thanks to whoever solves this.

[xPlozion]

Hello, it's me again. I'm working on your code and will post the results when I am done. BTW, for future reference, never under any circumstance allow anything to go into the database without first properly sanitizing the string. Can create a mess if someone uses mysql injection (could erase your database)

PHP Code:

<?php

/**********************
FILE: login.php
MODIFIED BY: xPlozion
ORIGINAL BY: pokefan2
**********************/

// include "connect.php"; // You do not need connect.php as it's called by the page below.
include "check_user.php"; // You'll see down below ;)

if ($loggedin !== TRUE) { // Then allow this to begin. If the user is logged in, then he doesn't even see this page.
    if(isset($_POST['login'])) { // If he/she clicks the login button on the login form
        if(!empty(trim($_POST['username'])) && !empty(trim($_POST['password']))) {

            $username = mysql_real_escape_string(trim($_POST['username'])); // Escapes all ' and " being inserted into the database to prevent injection
            $password = sha1(trim($_POST['password'])); // Encrypts the password with sha1 encryption (no need to escape because it encrypts it before it's sent)

            if ($query = mysql_query("SELECT id, password, lastlogin FROM players WHERE username='$username' LIMIT 1")) { // Uses escaped username and not directly from the form and checks if it was executed properly (no errors like missing users or w/e)
                $result = mysql_fetch_assoc($query);

                if ($result['password'] == $password) { // If the the password in the database is the same as what the user sent...
                    setcookie('uid', $result['id']);
                    setcookie('username', $username);
                    $date = date('m/d/y g:i A', time()); // Example 08/25/08 9:10 PM
                    mysql_query("UPDATE players SET lastlogin='$date' WHERE id='".$result['id']."' LIMIT 1"); // Get in the habbit of using LIMIT 1 when only dealing with one field (such as in this case)
                    echo "You are now logged in.";

                } else {
                    die("Wrong password!<br /><br />
                    <a href='index.php'>Back</a>");
                }

            } else {
                die("Sorry, that user is not in our database.<br /><br />
                <a href='index.php'>Back</a>");
            }

        } else {
            die("Please fill out the form completely. <br /><br />
            <a href='index.php'>Continue</a>");
        }

    } else {
        echo "<form action='index.php' method='post'><div>
        Username: <input type='text' name='username'><br/>
        Password: <input type='password' name='password'><br/>
        <input type='login' name='submit' value='Login'>
        </div></form>
        Would you like to <a href='register.php'>register?</a>";
    }
} else {
    echo "You are already logged in.<br /><br />
    <a href='index.php'>Continue</a>";
}

?>

PHP Code:

<?php

/**********************
FILE: check_user.php
ORIGINAL BY: xPlozion

DIRECTIONS:
Include this file by having:

include 'check_user.php';

on the first line of any page that you want to check the login status of the user.

**********************/

include "connect.php";

if (!empty($_COOKIE['uid']) && !empty($_COOKIE['password'])) { // Check to see if the user has the cookies set

    $uid = mysql_real_escape_string($_COOKIE['uid']);  // Again, sanitizing anything going into the database not directly defined by the script
    $check = mysql_fetch_assoc(mysql_query("SELECT username, password FROM players WHERE id='$uid' LIMIT 1"));
    if ($check['password'] == $_COOKIE['password']) {
        $loggedin = TRUE;
        $loggedin['uid'] = $uid; // You can use this variable and the one below in any part of the site, as long as you include this script 
        $loggedin['username'] = $check['username'];
    }
}

?>

Place the following code where you deem nessecary.

PHP Code:

if ($loggedin == TRUE) {
    echo 'You are logged in! 
    Welcome back to Wolf Magic, '.$loggedin['username'].'!
    <br /><br />
    <a href='logout.php'>Click Here to Logout</a>';
} else {
    echo 'You are not logged in.<br /><br /><a href='login.php'>Click Here to Login</a>';
} 


That script still allows you to do what you needed (although I don't understand why you were calling registered in the first mysql_query... The second script allows you to check whether or not the user is logged in.

If you need to allow people that are logged in other features in the same page, then do

PHP Code:

if ($loggedin == TRUE) {
    // STUFF GOES HERE (JUST FOR LOGGED IN MEMBERS)
} 


If there is any problem with this script, any whatsoever, please, don't hesitate to let me know, whether by PM or reply. I am _ALWAYS_ here to help people learn.

[Brandon]

pokefan2: Did he solve your problem? If so you need to pay him his points.

[xPlozion]

according to his profile:

Last Activity: 08-25-2008 01:48 PM

[Brandon]

Going to give the user one more day before admin intervention is put forth.

[kkenny]

Just a reminder for Brandon, it's been one day.

[pokefan2]

Sorry, I have not looked at this post in a while, I shall try to test it in a minute.

I am sending the credits now.

[xPlozion]

ty, post any errors if there's any and i'll work on it ;)

[pokefan2]

This is closed